exfat: fix uninit-value in __exfat_get_dentry_set

namjaejeon · namjaejeon · commit 02dffe9ab092 · 2024-11-25T17:08:21.000+09:00
There is no check if stream size and start_clu are invalid.
If start_clu is EOF cluster and stream size is 4096, It will
cause uninit value access. because ei-&gt;hint_femp.eidx could
be 128(if cluster size is 4K) and wrong hint will allocate
next cluster. and this cluster will be same with the cluster
that is allocated by exfat_extend_valid_size(). The previous
patch will check invalid start_clu, but for clarity, initialize
hint_femp.eidx to zero.

Cc: stable@vger.kernel.org
Reported-by: syzbot+01218003be74b5e1213a@syzkaller.appspotmail.com
Tested-by: syzbot+01218003be74b5e1213a@syzkaller.appspotmail.com
Reviewed-by: Yuezhang Mo &lt;Yuezhang.Mo@sony.com&gt;
Signed-off-by: Namjae Jeon &lt;linkinjeon@kernel.org&gt;
diff --git a/fs/exfat/namei.c b/fs/exfat/namei.c
@@ -345,6 +345,7 @@ static int exfat_find_empty_entry(struct inode *inode,
 		if (ei->start_clu == EXFAT_EOF_CLUSTER) {
 			ei->start_clu = clu.dir;
 			p_dir->dir = clu.dir;
+			hint_femp.eidx = 0;
 		}
 
 		/* append to the FAT chain */

Original file line number	Diff line number	Diff line change
`@@ -345,6 +345,7 @@ static int exfat_find_empty_entry(struct inode *inode,`
`345`	`345`	`if (ei->start_clu == EXFAT_EOF_CLUSTER) {`
`346`	`346`	`ei->start_clu = clu.dir;`
`347`	`347`	`p_dir->dir = clu.dir;`
	`348`	`+ hint_femp.eidx = 0;`
`348`	`349`	`}`
`349`	`350`
`350`	`351`	`/* append to the FAT chain */`